Sugarcoating KANDYKORN: a sweet dive into a sophisticated MacOS backdoor
Thursday 3 October 14:30 - 15:00, Green room
Salim Bitam (Elastic)
KANDYKORN is a novel macOS backdoor recently discovered by Elastic Security Labs during an intrusion targeting engineers at a prominent crypto exchange platform. With macOS devices increasingly becoming prime targets, the discovery of KANDYKORN sheds light on new trends being adopted by cybercriminals and state-sponsored actors.
Operating covertly, KANDYKORN employs a feature-rich multi-staged loader paired with a custom network protocol to facilitate a range of post-compromise activities. Its functionality includes capabilities that enable lateral movement and data exfiltration while allowing the adversary to remain under the radar.
In this talk, attendees will gain an in-depth understanding of KANDYKORN’s attack chain, its heavily obfuscated loader responsible for loading the backdoor reflectively in memory (a technique atypical in macOS environments), and its use of execution flow hijacking to achieve persistence. Through a detailed analysis of …